23 November 2013

Data Breaches and Dating

In a piece for The Conversation I've highlighted the willingness of The Australian, ie the News group flagship, to disregard the privacy of ABC journalists by publishing the salary details of those individuals.

If there is a compelling public interest in the disclosure of salaries (and News has as yet not made a case) we could presumably expect to see how much journalists at The Australian are getting paid and indeed whether or not they are receiving any benefit from outside News.

The disclosure in that newspaper is consistent with Rupert Murdoch's reported disavowal of his apology to the House of Commons inquiry into egregious disregard by his London executives and journalists of the privacy of celebrities and non-celebrities alike.

As yet the Australian Privacy Commissioner has been silent about News' disrespect for privacy. That silence is deeply regrettable and is not excused by a legalistic reliance on the media carve-out provided by s 7B of the Privacy Act 1988 (Cth). Irrespective of whether or not the OAIC has statutory power, the agency does have scope to exercise soft power, ie to use its moral authority to quickly and strongly condemn an abuse of privacy.

Failure of the OAIC to do so, yet again, raises questions about its regulatory capacity that go beyond disquiet about the adequacy of its formal powers, its resistance to provision of information under the Freedom of Information Act, its lack of resources (and more specifically its lack of technical expertise) and its hostility to legitimate criticism.

The OAIC's silence coincides with release of public submissions to the Australian Law Reform Commission regarding that body's issues paper about a statutory cause of action for serious invasion of privacy.

It also coincides with media coverage of a data breach involving Australian online dating service Cupid Media, with a hacker reportedly accessing client names, email addresses, unencrypted passwords and birthdays for around 30 million customers. The data apparently relates to current and "old, inactive or deleted accounts". Cupid's security regime appears to have been less than state-of-the-art and it would have been better, for example, to encrypt the data or take information about inactive accounts wholly offline.

Its spokesperson offered the standard apology, being quoted as stating:
"we are committed to investigate this matter further and make any additional improvements still required. Protecting our customers' privacy and data is important to us and we will continue to make additional investments in improved security for our members. We sincerely apologise for the inconvenience this has caused our members."